Hackers Have the Advantage Over IT Security Pros Thanks to Misaligned Incentives

A new report was recently released by Intel’s McAfee Security and the Center for Strategic and International Studies (CSIS), titled Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity. The authors of the survey talked to 800 cybersecurity professionals and used their answers to come to the conclusion that cybercriminals are afforded a huge advantage due to a misalignment of incentives. Here are some examples of what this means:

There is a disconnect between creating a strategy and implementing cybersecurity programs

The bureaucracy of the business is unable to keep up with free-wheeling criminal enterprises because it takes them too long to come to a decision

The senior executives and the people in charge of cybersecurity are being incentivised differently.

The report details each incentive that is giving cybercriminals the edge, as well as looking closer at cybercriminals and the ways in which they have jumped right over corporate cybersecurity.

There is a Booming Black-Hat Hacker Workforce

One thing noted by the authors of the report is that, even though above-board businesses are having trouble finding high quality cybersecurity professionals, there is no such problem for cybercriminals. The authors of the paper suggest that black hat hackers are creating incentives based on market forces, rather than organizational flatness.

Cybercriminals also have an advantage in terms of products. Innovation and adaption are fostered by the market economy of the criminal hacker ecosystem. It is different from the defensive market, where priorities can be affected by corporate hierarchy. The result is a slow moving bureaucratic process; much different from the decentralized, competitive, commoditized hacker market.

Black Hat Hackers Have Superior Products

Given that the digital underground market has so many qualified people creating/stealing high-quality black-hat products, it’s only natural to assume the underground market is flourishing; which is just what it’s doing. What might be a little unexpected is the sheer quality of the products. The report suggests the reason for the quality could be because of the decentralized, open nature of the market. This means that operators must steal, create, and sell only the latest and highest quality products in order to survive.

The authors of the study say that the top of the black market contains almost nothing but elite tech specialists with highly coveted zero-day exploits working as intermediaries and brokers passing high-dollar-value exploits between the buyers, the sellers, and even the government.

Even so, there’s still a lot happening on the lower-tiers of the black market. There’s plenty of demand out there for counterfeit goods, stolen financial information, spamming services, and other “exploits-as-a-service” businesses.

Why are Cybercriminals Finding Specialists?

Much like above-board security experts, cybercriminals understand the importance of employing specialists. It’s difficult for a cybercriminal to be a true Jack-of-All-Trades given the complex nature of the modern corporate infrastructure, better security systems, and the increased awareness of their potential victims. According to the report, the following are the most in-demand specialists:

Programmers needed to create malware

Web designers needed for the creation of malicious sites

Tech experts needed to maintain the servers, databases, etc. of the criminal infrastructure

Fraudsters needed to develop social engineering schemes such as spam and phishing

Intermediaries to collect all the stolen data, advertise it to their fellow cybercriminals, and sell it on or exchange it for some other illegal action

Much like an above-board cybersecurity team, the more people needed for a job means the mastermind gets a smaller cut. The authors of the paper note that the profits of a criminal business are divided between the specialists. One law-enforcement expert estimated that up to 90% of the money made through cybercrime go to the technical specialists and the money mules, rather than the mastermind who put the scheme together in the first place.

Vulnerabilities Are Always Needed

The main reason that black-hat hacker markets are always so adaptable is because this is what is needed to find, exploit, and leverage vulnerabilities before they get patched. One study shows that 42% of disclosed vulnerabilities will be exploited within 30 days of being disclosed. As soon as something is disclosed publicly, cybercriminals are already using it in their attacks and exploiting it.

This doesn’t mean that even older publicly disclosed vulnerabilities are not being leveraged. Never forget about the opportunistic nature of criminals. They will continue to focus on the lowest-hanging fruit. Rather than investing in vulnerability research and developing vulnerabilities – which can be costly – they will just make the most out of a publicly disclosed vulnerability to exploit an unpatched system.

So, What Can the Good Guys Do?

The authors of the report have some suggestions for organisations. They suggest that the good guys do the following to keep up with cybercriminals:

Using Security-as-a-Service to counter the operations of Cybercrime-as-a-Service. These services have the same flexibility as the cybercriminals.

Using specialised consultants to augment the corporate in-house team by providing them with more expertise and focusing their resources

Offering performance incentives and recognising the efforts of your cybersecurity team encourages them to create stronger defences and patch exploits faster

Continue to experiment to determine the ideal mixture of metrics and incentives for your organisation as each one is different

The Future Looks Bright for Cybersecurity

While all of this sounds like bad news, the authors of the report do suggest there is some good news. They say that more companies are beginning to recognize how serious the problem of cybersecurity is, and they are taking the necessary steps to address it. As the IAM solutions company, One Identity, has stated, “Static security, based on a collection of unlinked security factors, is no longer sufficient for controlling access.” The authors still warned that security tools and solution have a hard time keeping up with the cybercriminal market. While this can be inevitable, it can also be minimized by organizational innovation.